P2P communication across middleboxes(術(shù)語篇)
2. Terminology
2. 術(shù)語
In this section we first summarize some middlebox terms. We focus hereon the two kinds of middleboxes that commonly cause problems for P2P applications.
在這一章節(jié)中,首先概要的介紹一下“代理”技術(shù)的一些術(shù)語。然后集中討論兩種造成P2P應(yīng)用問題的代理機(jī)制。
Firewall
A firewall restricts communication between a private internal network and the public Internet, typically by dropping packets that are deemed unauthorized. A firewall examines but does not modify the IP address and TCP/UDP port information in packets crossing the boundary.
防火墻
防火墻限制了私網(wǎng)與公網(wǎng)的通信,它主要是將(防火墻)認(rèn)為未經(jīng)授權(quán)的的包丟棄,防火墻只是檢驗包的數(shù)據(jù),并不修改數(shù)據(jù)包中的IP地址和TCP/UDP端口信息。
Network Address Translator (NAT)
A network address translator not only examines but also modifies the header information in packets flowing across the boundary, allowing many hosts behind the NAT to share the use of a smaller number of public IP addresses (often one). Network address translators in turn have two main varieties:
網(wǎng)絡(luò)地址轉(zhuǎn)換(NAT)
當(dāng)有數(shù)據(jù)包通過時,網(wǎng)絡(luò)地址轉(zhuǎn)換器不僅檢查包的信息,還要將包頭中的IP地址和端口信息進(jìn)行修改。以使得處于NAT之后的機(jī)器共享幾個僅有的公網(wǎng)IP地址(通常是一個)。網(wǎng)絡(luò)地址轉(zhuǎn)換器主要有兩種類型:
Basic NAT
A Basic NAT maps an internal host's private IP address to a public IP address without changing the TCP/UDP port numbers in packets crossing the boundary. Basic NAT is generally only useful when the NAT has a pool of public IP addresses from which to make address bindings on behalf of internal hosts.
基礎(chǔ)NAT
基礎(chǔ)NAT 將私網(wǎng)主機(jī)的私有IP地址轉(zhuǎn)換成公網(wǎng)IP地址,但并不將TCP/UDP端口信息進(jìn)行轉(zhuǎn)換。基礎(chǔ)NAT一般用在當(dāng)NAT擁有很多公網(wǎng)IP地址的時候,它將公網(wǎng)IP地址與內(nèi)部主機(jī)進(jìn)行綁定,使得外部可以用公網(wǎng)IP地址訪問內(nèi)部主機(jī)。(譯者注:實際上是只將IP轉(zhuǎn)換,192.168.0.23 <-> 210.42.106.35,這與直接設(shè)置IP地址為公網(wǎng)IP還是有一定區(qū)別的,特別是對于企業(yè)來說,外部的信息都要經(jīng)過統(tǒng)一防火墻才能到達(dá)內(nèi)部,但是內(nèi)部主機(jī)又可以使用公網(wǎng)IP)
Network Address/Port Translator (NAPT)
By far the most common, a Network Address/Port Translator examines and modifies both the IP address and the TCP/UDP port number fields of packets crossing the boundary, allowing multiple internal hosts to share a single public IP address simultaneously.
Refer to [NAT-TRAD] and [NAT-TERM] for more general information on NAT taxonomy and terminology. Additional terms that further classify NAPT are defined in more recent work [STUN]. When an internal host opens an outgoing TCP or UDP session through a network address/port translator, the NAPT assigns the session a public IP address and port number so that subsequent response packets from the external endpoint can be received by the NAPT, translated, and forwarded to the internal host. The effect is that the NAPT establishes a port binding between (private IP address, private port number) and (public IP address, public port number).
The port binding defines the address translation the NAPT will perform for the duration of the session. An issue of relevance to P2P applications is how the NAT behaves when an internal host initiates multiple simultaneous sessions from a single (private IP, private port) pair to multiple distinct endpoints on the external network.
網(wǎng)絡(luò)地址和端口轉(zhuǎn)換 (NAPT)
這是最普遍的情況,網(wǎng)絡(luò)地址/端口轉(zhuǎn)換器檢查、修改包的IP地址和TCP/UDP端口信息,這樣,更多的內(nèi)部主機(jī)就可以同時使用一個公網(wǎng)IP地址。
請參考[NAT-TRAD]和[NAT-TERM]兩個文檔了解更多的NAT分類和術(shù)語信息。另外,關(guān)于NAPT的分類和術(shù)語,[STUN]在最近做了更多的定義。當(dāng)一個內(nèi)部網(wǎng)主機(jī)通過NAT打開一個“外出”的TCP或UDP會話時,NAPT分配給這個會話一個公網(wǎng)IP和端口,用來接收外網(wǎng)的響應(yīng)的數(shù)據(jù)包,并經(jīng)過轉(zhuǎn)換通知內(nèi)部網(wǎng)的主機(jī)。這樣做的效果是,NAPT在 [私有IP:私有端口] 和[公網(wǎng)IP:公網(wǎng)端口]之間建立了一個端口綁定。
端口綁定指定了NAPT將在這個會話的生存期內(nèi)進(jìn)行地址轉(zhuǎn)換任務(wù)。這中間存在一個這樣的問題,如果P2P應(yīng)用程序從內(nèi)部網(wǎng)絡(luò)的一個[私有IP地址:端口]對同時發(fā)出多條會話給不同的外網(wǎng)主機(jī),那么NAT會怎樣處理呢?請看以下幾種方案。
Cone NAT
After establishing a port binding between a (private IP, private port) tuple and a (public IP, public port) tuple, a cone NAT will re-use this port binding for subsequent sessions the application may initiate from the same private IP address and port number, for as long as at least one session using the port binding remains active.
錐形NAT
(譯者注:為什么叫做錐形呢?請看以下圖形,終端和外部服務(wù)器,都通過NAT分派的這個綁定地址對來傳送信息,就象一個漏斗一樣,篩選并傳遞信息)
當(dāng)建立了一個 [私有IP:端口]-[公網(wǎng)IP:端口] 端口綁定之后,對于來自同一個[私有IP:端口]會話,錐形NAT服務(wù)器允許發(fā)起會話的應(yīng)用程序 重復(fù)使用這個端口綁定,一直到這個會話結(jié)束才解除(端口綁定)。
For example, suppose Client A in the diagram below initiates two simultaneous outgoing sessions through a cone NAT, from the same internal endpoint (10.0.0.1:1234) to two different external servers, S1 and S2. The cone NAT assigns just one public endpoint tuple(元組), 155.99.25.11:62000, to both of these sessions, ensuring that the "identity" of the client's port is maintained across address translation. Since Basic NATs and firewalls do not modify port numbers as packets flow across the middlebox, these types of middleboxes can be viewed as a degenerate form of Cone NAT.
例如,假設(shè) Client A(IP地址信息如上圖所示)通過一個 錐形NAT 同時發(fā)起兩個外出的連接,它使用同一個內(nèi)部端口(10.0.0.1:1234)給公網(wǎng)的兩臺不同的服務(wù)器,S1和S2。錐形NAT 只分配一個公網(wǎng)IP和端口(155.99.25.11:62000)給這個兩個會話,通過地址轉(zhuǎn)換可以 確保 Client使用端口的“同一性”(譯者注:即這個Client只使用這個端口)。而基礎(chǔ)NATs和防火墻卻不能修改經(jīng)過的數(shù)據(jù)包端口號,它們可以看作是錐形NAT的精簡版本。
Symmetric NAT
A symmetric NAT, in contrast, does not maintain a consistent port binding between (private IP, private port) and (public IP, public port) across all sessions.
Instead, it assigns a new public port to each new session. For example, suppose Client A initiates two outgoing sessions from the same port as above, one with S1 and one with S2. A symmetric NAT might allocate the public endpoint 155.99.25.11:62000 to session 1, and then allocate a different public endpoint 155.99.25.11:62001, when the application initiates session 2. The NAT is able to differentiate between the two sessions for translation purposes because the external endpoints involved in the sessions (those of S1 and S2) differ, even as the endpoint identity of the client application is lost across the address translation boundary.
對稱NAT
對稱NAT,與Cone NAT是大不相同的,并不對會話進(jìn)行端口綁定,而是分配一個全新的 公網(wǎng)端口 給每一個新的會話。
還是上面那個例子:如果 Client A (10.0.0.1:1234)同時發(fā)起兩個 "外出" 會話,分別發(fā)往S1和S2。對稱Nat會分配公共地址155.99.25.11:62000給Session1,然后分配另一個不同的公共地址155.99.25.11:62001給Session2。對稱Nat能夠區(qū)別兩個不同的會話并進(jìn)行地址轉(zhuǎn)換,因為在 Session1 和 Session2中的外部地址是不同的,正是因為這樣,Client端的應(yīng)用程序就迷失在這個地址轉(zhuǎn)換邊界線了,因為這個應(yīng)用程序每發(fā)出一個會話都會使用一個新的端口,無法保障只使用同一個端口了。
'
The issue of cone versus symmetric NAT behavior applies equally to TCP and UDP traffic. Cone NAT is further classified according to how liberally the NAT accepts incoming traffic directed to an already-established (publicIP, public port) pair. This classification generally applies only to UDP traffic, since NATs and firewalls reject incoming TCP connection attempts unconditionally unless specifically configured to do otherwise.
在TCP和UDP通信中, (到底是使用同一個端口,還是分配不同的端口給同一個應(yīng)用程序),錐形NAT和對稱NAT各有各的理由。當(dāng)然錐形NAT在根據(jù)如何公平地將NAT接受的連接直達(dá)一個已創(chuàng)建的地址對上有更多的分類。這個分類一般應(yīng)用在Udp通信(而不是Tcp通信上),因為NATs和防火墻阻止了試圖無條件傳入的TCP連接,除非明確設(shè)置NAT不這樣做。這些分類如下:
Full Cone NAT
After establishing a public/private port binding for a new outgoing session, a full cone NAT will subsequently accept incoming traffic to the corresponding public port from ANY external endpoint on the public network. Full cone NAT is also sometimes called "promiscuous" NAT.
全雙工錐形NAT
當(dāng)內(nèi)部主機(jī)發(fā)出一個“外出”的連接會話,就會創(chuàng)建了一個 公網(wǎng)/私網(wǎng) 地址,一旦這個地址對被創(chuàng)建,全雙工錐形NAT會接收隨后任何外部端口傳入這個公共端口地址的通信。因此,全雙工錐形NAT有時候又被稱為"混雜"NAT。
Restricted Cone NAT
A restricted cone NAT only forwards an incoming packet directed to a public port if its external (source) IP address matches the address of a node to which the internal host has previously sent one or more outgoing packets. A restricted cone NAT effectively refines the firewall principle of rejecting unsolicited incoming traffic, by restricting incoming traffic to a set of "known" external IP addresses.
受限制的錐形NAT
受限制的錐形NAT會對傳入的數(shù)據(jù)包進(jìn)行篩選,當(dāng)內(nèi)部主機(jī)發(fā)出“外出”的會話時,NAT會記錄這個外部主機(jī)的IP地址信息,所以,也只有這些有記錄的外部IP地址,能夠?qū)⑿畔魅氲絅AT內(nèi)部,受限制的錐形NAT 有效的給防火墻提煉了篩選包的原則——即限定只給那些已知的外部地址“傳入”信息到NAT內(nèi)部。
Port-Restricted Cone NAT
A port-restricted cone NAT, in turn, only forwards an incoming packet if its external IP address AND port number match those of an external endpoint to which the internal host has previously sent outgoing packets. A port-restricted cone NAT provides internal nodes the same level of protection against unsolicited incoming traffic that a symmetric NAT does, while maintaining a private port's identity across translation.
端口受限制的Cone NAT
端口受限制的錐形NAT,與受限制的錐形NAT不同的是:它同時記錄了外部主機(jī)的IP地址和端口信息,端口受限制的錐形NAT給內(nèi)部節(jié)點提供了同一級別的保護(hù),在維持端口“同一性”過程中,將會丟棄對稱NAT傳回的信息。
Finally, in this document we define new terms for classifying the P2P-relevant behavior of middleboxes:
最后,在這篇文檔里我們將定義一組新的術(shù)語 ,以便更好的對P2P代理相關(guān)的行為進(jìn)行分類。
P2P應(yīng)用程序
P2P應(yīng)用程序是指,在已有的一個公共服務(wù)器的基礎(chǔ)上,并分別利用自己的私有地址或者公有地址(或者兩者兼?zhèn)洌﹣斫⒁粋€端到端的會話通信。
P2P-Application
P2P-application as used in this document is an application in which each P2P participant registers with a public registration server, and subsequently uses either its private endpoint, or public endpoint, or both, to establish peering sessions.
P2P-Middlebox
A P2P-Middlebox is middlebox that permits the traversal of P2P applications.
P2P代理
P2P代理是一個允許 P2P應(yīng)用程序進(jìn)行通信的代理機(jī)制
P2P-firewall
A P2P-firewall is a P2P-Middlebox that provides firewall functionality but performs no address translation.
P2P防火墻
P2P防火墻是一個提供了防火墻的功能的P2P代理,但是不進(jìn)行地址轉(zhuǎn)換.
P2P-NAT
A P2P-NAT is a P2P-Middlebox that provides NAT functionality, and may also provide firewall functionality. At minimum, a P2P-Middlebox must implement Cone NAT behavior for UDP traffic, allowing applications to establish robust P2P connectivity using the UDP hole punching technique.
P2P-NAT
P2P-NAT 是一個 P2P代理,提供了NAT的功能,也提供了防火墻的功能,一個最簡的P2P代理必須具有 錐形NAT對Udp通信支持的功能,并允許應(yīng)用程序利用Udp打洞技術(shù)建立強(qiáng)健的P2P連接。
Loopback translation
When a host in the private domain of a NAT device attempts to connect with another host behind the same NAT device using the public address of the host, the NAT device performs the equivalent of a "Twice-nat" translation on the packet as follows. The originating host's private endpoint is translated into its assigned public endpoint, and the target host's public endpoint is translated into its private endpoint, before the packet is forwarded to the target host. We refer the above translation performed by a NAT device as "Loopback translation".
回環(huán)轉(zhuǎn)換
當(dāng)NAT的私網(wǎng)內(nèi)部機(jī)器想通過公共地址來訪問同一臺局域網(wǎng)內(nèi)的機(jī)器的時,NAT設(shè)備等價于做了兩次NAT的事情,在包到達(dá)目標(biāo)機(jī)器之前,先將私有地址轉(zhuǎn)換為公網(wǎng)地址,然后再將公網(wǎng)地址轉(zhuǎn)換回私有地址。我們把具有上敘轉(zhuǎn)換功能的NAT設(shè)備叫做“回環(huán)轉(zhuǎn)換”設(shè)備。